Fixes #1963229. Introduces Context#isRestricted().

A restricted Context is a special type of Context that prevents specific features
from being used. For instance, android:onClick, used by View, can be dangerous when
used from within apps widgets. By using a restricted Context to inflate apps widgets,
widgets providers are prevented from using android:onClick.

api/current.xml

@@ -27810,6 +27810,17 @@
 <parameter name="modeFlags" type="int">
 </parameter>
 </method>
+<method name="isRestricted"
+ return="boolean"
+ abstract="false"
+ native="false"
+ synchronized="false"
+ static="false"
+ final="false"
+ deprecated="not deprecated"
+ visibility="public"
+>
+</method>
 <method name="obtainStyledAttributes"
  return="android.content.res.TypedArray"
  abstract="false"
@@ -28323,6 +28334,17 @@
  visibility="public"
 >
 </field>
+<field name="CONTEXT_RESTRICTED"
+ type="int"
+ transient="false"
+ volatile="false"
+ value="4"
+ static="true"
+ final="true"
+ deprecated="not deprecated"
+ visibility="public"
+>
+</field>
 <field name="INPUT_METHOD_SERVICE"
  type="java.lang.String"
  transient="false"

core/java/android/app/ApplicationContext.java

@@ -184,6 +184,7 @@ class ApplicationContext extends Context {
     private StatusBarManager mStatusBarManager = null;
     private TelephonyManager mTelephonyManager = null;
     private ClipboardManager mClipboardManager = null;
+    private boolean mRestricted;
 
     private final Object mSync = new Object();
 
@@ -1336,6 +1337,7 @@ class ApplicationContext extends Context {
             mMainThread.getPackageInfo(packageName, flags);
         if (pi != null) {
             ApplicationContext c = new ApplicationContext();
+            c.mRestricted = (flags & CONTEXT_RESTRICTED) == CONTEXT_RESTRICTED;
             c.init(pi, null, mMainThread);
             if (c.mResources != null) {
                 return c;
@@ -1347,6 +1349,11 @@ class ApplicationContext extends Context {
             "Application package " + packageName + " not found");
     }
 
+    @Override
+    public boolean isRestricted() {
+        return mRestricted;
+    }
+
     private File getDataDirFile() {
         if (mPackageInfo != null) {
             return mPackageInfo.getDataDirFile();

core/java/android/appwidget/AppWidgetHostView.java

@@ -269,7 +269,7 @@ public class AppWidgetHostView extends FrameLayout {
         try {
             if (mInfo != null) {
                 Context theirContext = mContext.createPackageContext(
-                        mInfo.provider.getPackageName(), 0 /* no flags */);
+                        mInfo.provider.getPackageName(), Context.CONTEXT_RESTRICTED);
                 LayoutInflater inflater = (LayoutInflater)
                         theirContext.getSystemService(Context.LAYOUT_INFLATER_SERVICE);
                 inflater = inflater.cloneInContext(theirContext);

core/java/android/content/Context.java

@@ -1654,6 +1654,13 @@ public abstract class Context {
      * with extreme care!
      */
     public static final int CONTEXT_IGNORE_SECURITY = 0x00000002;
+    
+    /**
+     * Flag for use with {@link #createPackageContext}: a restricted context may
+     * disable specific features. For instance, a View associated with a restricted
+     * context would ignore particular XML attributes.
+     */
+    public static final int CONTEXT_RESTRICTED = 0x00000004;
 
     /**
      * Return a new Context object for the given application name.  This
@@ -1682,4 +1689,15 @@ public abstract class Context {
      */
     public abstract Context createPackageContext(String packageName,
             int flags) throws PackageManager.NameNotFoundException;
+
+    /**
+     * Indicates whether this Context is restricted.
+     * 
+     * @return True if this Context is restricted, false otherwise.
+     * 
+     * @see #CONTEXT_RESTRICTED
+     */
+    public boolean isRestricted() {
+        return false;
+    }
 }

core/java/android/content/ContextWrapper.java

@@ -430,4 +430,9 @@ public class ContextWrapper extends Context {
         throws PackageManager.NameNotFoundException {
         return mBase.createPackageContext(packageName, flags);
     }
+
+    @Override
+    public boolean isRestricted() {
+        return mBase.isRestricted();
+    }
 }

core/java/android/view/View.java

@@ -1996,6 +1996,11 @@ public class View implements Drawable.Callback, KeyEvent.Callback, Accessibility
                     mMinHeight = a.getDimensionPixelSize(attr, 0);
                     break;
                 case R.styleable.View_onClick:
+                    if (context.isRestricted()) {
+                        throw new IllegalStateException("The android:onClick attribute cannot " 
+                                + "be used within a restricted context");
+                    }
+
                     final String handlerName = a.getString(attr);
                     if (handlerName != null) {
                         setOnClickListener(new OnClickListener() {

core/java/android/widget/RemoteViews.java

@@ -856,7 +856,7 @@ public class RemoteViews implements Parcelable, Filter {
 
         if (packageName != null) {
             try {
-                c = context.createPackageContext(packageName, 0);
+                c = context.createPackageContext(packageName, Context.CONTEXT_RESTRICTED);
             } catch (NameNotFoundException e) {
                 Log.e(LOG_TAG, "Package name " + packageName + " not found");
                 c = context;

test-runner/android/test/mock/MockContext.java

@@ -397,4 +397,9 @@ public class MockContext extends Context {
             throws PackageManager.NameNotFoundException {
         throw new UnsupportedOperationException();
     }
+
+    @Override
+    public boolean isRestricted() {
+        throw new UnsupportedOperationException();        
+    }
 }